
New Decryptor Unlocks CryptXXX Ransomware

Researchers at Kaspersky Lab today published a decryptor that recovers files encrypted by the CryptXXX ransomware.

When exploit kits, in particular Angler, spread ransomware infections, people get nervous.

The latest strain to appear in the virulent Angler kit is CryptXXX, which researchers at Proofpoint and Fox IT tied to the same group dropping old-school Reveton ransomware and Bedep click-fraud malware.

CryptXXX asks for a steep $500 in Bitcoin to unlock files it has encrypted, and given Angler’s penetration and frequent updates, CryptXXX quickly stepped to the forefront as ransomware to watch.

CryptXXX is particularly nasty because it encrypts not only local files (encrypted files get a .crypt extension) but also those on all attached storage shortly after the initial infection. Its capabilities go beyond encryption: it also copies files, putting the victim at risk of identity theft, and steals Bitcoins stored on the local hard drives.

Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, said the malware contained an undisclosed weakness in its crypto implementation that opened the door to the development of the decryptor. The decryptor was added to an existing ransomware utility that also recovers files lost to Rannoh, AutoIt, Fury, Crybola, and Cryaki.

“It looks dangerous because of Angler (i.e. it has a potential for massive propagation),” Sinitsyn said. “Also, it has additional functionality to steal sensitive data, which is another big threat, even if the victim manages to decrypt the files.”

Sinitsyn said the decryptor requires at least one original, unencrypted copy of a file that CryptXXX has encrypted.

“If given a correct pair, the utility will decrypt all files with size less than or equal to the size of the file from the pair,” Sinitsyn said. “Most of the time the victim manages to find an original copy of one encrypted file. It can be on a disconnected flash drive, external hard drive, in their mailbox, in cloud storage, on another PC, etc. In case of CryptXXX, if the victim finds a large original, it will allow decrypting all affected files of this size or smaller.”

CryptXXX was spotted by Proofpoint researchers on April 15 when an Angler infection that was moving Bedep was also moving a ransomware payload and Dridex banking malware, the company said in a blog post.

The presence of Bedep tipped the researchers off that there may be more at play with CryptXXX. Bedep has been used in numerous other attacks to drop other malware such as the Pony password-stealing malware. In this case, Proofpoint said CryptXXX harvests data from instant messenger clients, local FTP client credentials, data from local mail clients, and browser information, including cookie data.

Reveton ransomware has been relatively quiet since February 2015, when it was spotted in Angler infections. Proofpoint noted a half-dozen similarities between Reveton and CryptXXX: both are written in Delphi, both use the same custom command-and-control protocol, and both have a delayed start before targeting attached storage.

Authors

Threatpost
